added roles assumable

2018-09-25 16:22:30 -04:00
parent e66a273277
commit 75ea430cef
2 changed files with 33 additions and 0 deletions
--- a/libs/iam.py
+++ b/libs/iam.py
@@ -455,6 +455,33 @@ def iam_list_roles():
    except KeyboardInterrupt:
        print("CTRL-C received, exiting...")

+def iam_list_roles_assumable():
+    '''
+    Lists the IAM roles that have the specified path prefix. If there are none, the operation returns an empty list
+    '''
+    print("### Roles that can be Assumed by AWS Principals ###")
+    try:
+        for region in regions:
+            client = boto3.client('iam', region_name="us-east-1")
+            response = client.list_roles()
+            roles = response.get("Roles")
+            for role in roles:
+                if "AWS" in role["AssumeRolePolicyDocument"]["Statement"][0]["Principal"]:
+                    print(role["RoleId"] + " " + role["RoleName"])
+                    print(role["AssumeRolePolicyDocument"]["Statement"][0]["Principal"]["AWS"])
+    except botocore.exceptions.ClientError as e:
+        if e.response['Error']['Code'] == 'InvalidClientTokenId':
+            sys.exit("{} : The AWS KEY IS INVALID. Exiting" .format(AWS_ACCESS_KEY_ID))
+        elif e.response['Error']['Code'] == 'AccessDenied':
+            print('{} : Is NOT a root/IAM key' .format(AWS_ACCESS_KEY_ID))
+        elif e.response['Error']['Code'] == 'SubscriptionRequiredException':
+            print('{} : Has permissions but isnt signed up for service - usually means you have a root account' .format(AWS_ACCESS_KEY_ID))
+        elif e.response['Error']['Code'] == 'OptInRequired':
+            print('{} : Has permissions but isnt signed up for service - usually means you have a root account' .format(AWS_ACCESS_KEY_ID))
+        else:
+            print("Unexpected error: {}" .format(e))
+    except KeyboardInterrupt:
+        print("CTRL-C received, exiting...")

 def iam_list_policies():
    '''
--- a/modules/iam.py
+++ b/modules/iam.py
@@ -60,6 +60,12 @@ def module_iam_list_roles():
    '''
    iam_list_roles()

+def module_iam_list_roles_assumable():
+    '''
+    Lists the IAM roles that have the specified path prefix. If there are none, the operation returns an empty list.
+    python3 weirdAAL.py -m iam_list_roles -t yolo
+    '''
+    iam_list_roles_assumable()

 def module_iam_list_policies():
    '''